@kidchenko kidchenko commented Jan 30, 2026

πŸ›‘οΈ Sentinel: [CRITICAL/HIGH] Fix sensitive data exposure in logs

🚨 Severity: HIGH
πŸ’‘ Vulnerability: Git remote URLs containing authentication tokens (e.g. https://user:token@github.com/...) were being logged to plain text files (git-repos.log) and printed to stdout.
🎯 Impact: If a user's logs are exposed or if they share their screen/logs, their Personal Access Tokens could be compromised, granting unauthorized access to their repositories.
πŸ”§ Fix: Added a sanitization step using sed to mask credentials in the URL (replacing ://user:pass@ with ://***@) before logging or printing.
βœ… Verification: Verified with a reproduction script that creates a dummy repo with a secret in the remote URL, runs the backup script, and confirms the secret is not present in the generated log file.


PR created automatically by Jules for task 6917695432768336272 started by @kidchenko

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Masked Git credentials in logs and output to prevent accidental exposure of authentication information.
  • Documentation

    • Added security documentation on credential handling in version control operations.


- Prevent leakage of credentials (PATs) in backup logs
- Sanitize URLs in stdout during dry-run
- Add Sentinel journal entry

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
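The two pieces the PR description relies on, as an added shell example that is not the project's own tools/backup-projects.sh: a sed-based redaction of the URL userinfo before logging, and a grep check that a log file does not contain the secret (the verification step). It generalizes the PR's `://user:pass@` replacement to mask a bare `token@` form as well; the URLs and the token are constructed.

```shell
#!/bin/sh
# Added example, not the PR's own backup script. Redact the userinfo part of
# a Git remote URL before it is logged or printed, and verify that a log file
# does not contain a given secret. All URLs and the token are constructed.

# Mask everything between "://" and the "@" that precedes the host.
# Catches both "user:token@" and a bare "token@". A URL without credentials
# and the scp-style "git@host:path" form pass through unchanged; for
# "ssh://git@host/path" the non-secret username "git" is masked too.
sanitize_remote_url() {
    printf '%s\n' "$1" | sed -E 's#(://)[^@/]+@#\1***@#'
}

# Return 0 if SECRET does not appear in FILE, 1 if it leaked.
# -F treats the secret as a fixed string, not a regular expression.
assert_not_leaked() {
    file=$1
    secret=$2
    if grep -qF -- "$secret" "$file"; then
        echo "LEAK: secret found in $file" >&2
        return 1
    fi
    return 0
}

# Demo: log the sanitized URL the way a backup script would, then verify.
demo_log_and_verify() {
    token="ghp_EXAMPLETOKEN0123"              # constructed, not a real PAT
    remote_url="https://alice:${token}@github.com/example/repo.git"
    log=$(mktemp)
    # Only the sanitized form reaches the log; $remote_url stays for git.
    printf 'Backing up %s\n' "$(sanitize_remote_url "$remote_url")" >> "$log"
    assert_not_leaked "$log" "$token"
    status=$?
    rm -f "$log"
    return $status
}

demo_log_and_verify && echo "ok: no credentials in log"
```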
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.


coderabbitai bot commented Jan 30, 2026

πŸ“ Walkthrough

Walkthrough

A documentation file and shell script update address Git credential leakage in logs. The script now sanitizes remote URLs by masking credentials before logging and user-facing output, while preserving the original URL for actual Git operations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Security Documentation: `.jules/sentinel.md` | New documentation entry (2026-01-30) describing vulnerability where Git remote URLs containing authentication tokens are logged in plain text. Prescribes sanitizing URLs by redacting credentials before logging. |
| Credential Sanitization Implementation: `tools/backup-projects.sh` | Introduces safe_remote_url variable to mask credentials in Git remote URLs. Replaces remote_url with safe_remote_url in logging and dry-run output while preserving original remote_url for Git operations. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A tiny fix to stop the leaks,
Where passwords hid in logging's peaks,
Now URLs masked, credentials safe,
No more credentials in the chaff—
A security hop of wise delight! 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly identifies the main change: fixing sensitive data exposure in backup logs by sanitizing Git credentials. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.jules/sentinel.md:
- Around line 1-4: Change the front-matter heading "## 2026-01-30 - Leaking Git
Credentials in Logs" to an H1 ("# 2026-01-30 - Leaking Git Credentials in
Logs"), add a blank line immediately after that heading, and wrap long lines in
the "Vulnerability:", "Learning:", and "Prevention:" paragraphs so each line
stays within the linter's max length (break the long "Prevention: Always
sanitize URLs..." sentence into two or more lines). Ensure the "Vulnerability:",
"Learning:", and "Prevention:" labels remain intact and that the final file has
the H1, one blank line, then the three short, wrapped paragraphs.

Comment on lines +1 to +4
## 2026-01-30 - Leaking Git Credentials in Logs
**Vulnerability:** Git remote URLs containing authentication tokens were being logged to plain text files.
**Learning:** Utilities that aggregate info about git repositories (like backup scripts) often indiscriminately log `git remote get-url`. When users use PATs (Personal Access Tokens) in URLs, these secrets are leaked.
**Prevention:** Always sanitize URLs (redact `user:password@`) before logging or displaying them.

⚠️ Potential issue | 🟡 Minor

Fix markdownlint violations (H1, blank line, and line length).

The linter is failing on heading level/spacing and line length. Please update the entry to start with an H1, add a blank line after the heading, and wrap long lines.

✍️ Suggested fix
-## 2026-01-30 - Leaking Git Credentials in Logs
-**Vulnerability:** Git remote URLs containing authentication tokens were being logged to plain text files.
-**Learning:** Utilities that aggregate info about git repositories (like backup scripts) often indiscriminately log `git remote get-url`. When users use PATs (Personal Access Tokens) in URLs, these secrets are leaked.
-**Prevention:** Always sanitize URLs (redact `user:password@`) before logging or displaying them.
+# 2026-01-30 - Leaking Git Credentials in Logs
+
+**Vulnerability:** Git remote URLs containing authentication tokens were being
+logged to plain text files.
+
+**Learning:** Utilities that aggregate info about git repositories (like backup
+scripts) often indiscriminately log `git remote get-url`. When users use PATs
+(Personal Access Tokens) in URLs, these secrets are leaked.
+
+**Prevention:** Always sanitize URLs (redact `user:password@`) before logging or
+displaying them.
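Review bot: promoting the dated entry heading to H1 clears MD041 and MD022 for this file today, but the commit message calls this a "Sentinel journal entry", so each later entry will either add another top-level heading or reopen the MD041 failure; suggest a file-level title such as "# Sentinel journal" on line 1, a blank line, and then keep each dated entry as "## 2026-01-30 - Leaking Git Credentials in Logs" with the wrapped paragraphs below it, which satisfies both rules and leaves room for future entries.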
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2026-01-30 - Leaking Git Credentials in Logs
**Vulnerability:** Git remote URLs containing authentication tokens were being logged to plain text files.
**Learning:** Utilities that aggregate info about git repositories (like backup scripts) often indiscriminately log `git remote get-url`. When users use PATs (Personal Access Tokens) in URLs, these secrets are leaked.
**Prevention:** Always sanitize URLs (redact `user:password@`) before logging or displaying them.
# 2026-01-30 - Leaking Git Credentials in Logs
**Vulnerability:** Git remote URLs containing authentication tokens were being
logged to plain text files.
**Learning:** Utilities that aggregate info about git repositories (like backup
scripts) often indiscriminately log `git remote get-url`. When users use PATs
(Personal Access Tokens) in URLs, these secrets are leaked.
**Prevention:** Always sanitize URLs (redact `user:password@`) before logging or
displaying them.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 97] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 217] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 106] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-01-30 - Leaking Git Cr..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-01-30 - Leaking Git Credentials in Logs"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

